Tuesday, November 12, 2024
HomeCVE/vulnerabilityMicrosoft’s Exchange Server Hack: Key Rotation Flaw Triggers Breach

Microsoft’s Exchange Server Hack: Key Rotation Flaw Triggers Breach

Published on

Malware protection

Storm-0558, a cyberespionage group affiliated with the People’s Republic of China, has reportedly compromised Microsoft Exchange mailboxes of 22 organizations and over 500 individuals between May and June 2023.

This was done by using authentication tokens of accounts that were signed by a Key held by Microsoft in 2016. 

This key was used for secure authentication into remote systems. However, this key was possessed by the threat actor, which provided several permissions to access any information or systems within that key’s domain.

- Advertisement - SIEM as a Service

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Additionally, a single key can have enormous power, which, combined with a flaw in Microsoft’s authentication system, resulted in the threat actor gaining full access to any Exchange online account anywhere in the world.

Moreover, Microsoft is still investigating how Storm-0558 got its hands on this key.

The accounts compromised using this attack included 

  • Senior United States government representatives working on national security matters
  • Email accounts of Commerce Secretary Gina Raimondo, 
  • United States Ambassador to the People’s Republic of China R. Nicholas Burns and
  • Congressman Don Bacon.

Microsoft’s Exchange Server Hack

According to the CSRB reports, during the time the threat actor had access to these sensitive email accounts, they downloaded over 60,000 emails from the State Department. 

Attack vector of Storm-0558 (Source: CISA)

Moreover, the first victim of this intrusion was the State Department, which was on June 15, 2023, when the SOC team detected anomalies in access to their mail systems.

Following this, the next day, there were several security alerts for which they contacted Microsoft.

10-Day Investigations From Microsoft

Microsoft initiated an investigation for the next 10 days and confirmed that the threat actor Storm-0558 had gotten their hands on certain emails through their Outlook Web Access (OWA).

Further, Microsoft also identified 21 different organizations and 500+ users that were impacted by the attack. The impact was further noted by the U.S. government agencies.

In addition to this, Microsoft also found that the threat actor used the OWA for accessing emails directly using tokens which authenticated Storm-0558 as a valid user.

This also specified that these kinds of tokens must be associated with Microsoft’s identity systems only, but unfortunately, they were not. 

Furthermore, the tokens used by the threat actor had digital signatures with a Microsoft Services Account (MSA) cryptographic key that dated back to 2016.

This key was originally intended to be retired by March 2021, providing more insights on the attack.

The Revealing Point

Microsoft initially concluded that the threat actor had forged tokens for accessing these Microsoft Exchange online accounts from affected individuals.

However, after developing some hypotheses they found a flaw in the token validation login used by Microsoft Exchange which could allow any consumer key to access enterprise Exchange accounts if the accounts did not have a code to reject consumer key.

However, it was still not evident enough to prove that the threat actor had obtained and used the 2016 MSA key to compromise the accounts.

By that time, Microsoft recalled an attack performed by the same threat actor in 2021 in which they accessed several documents that were stored in SharePoint as they were looking for information on Azure service management and Identity-related management.

The final stages of investigations revealed some major things: Microsoft had been using manual key rotation mechanisms on enterprise systems and had completely stopped the rotation mechanism after they faced a major outage on one of these activities in 2021. 

This allowed the threat actor to use these consumer keys to forge authentication tokens to access consumer email systems.

However, another previously unknown flaw was combined with this issue, potentially compromising sensitive email accounts and organizations.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...